Thu Mar 1 13:49:29 2007

Welcome back to the 90s

By now I have come to accept that
around Y2K the music industry decided that innovation is no longer needed and
that they can make enough money by reselling and covering pretty much every
song ever written between 1960 and 1999. What fascinates me is that vendors
in the computer industry have come to the same conclusion regarding the
security of their products. I can only see two potential reasons behind this:

The big vendors have come to
realize that they can sell their products with lots of vulnerabilities in them
as long as they appear reactive to vulnerability reports. Nobody gets sacked
for buying IBM, as the proverb once went. The same might be true for Sun, Cisco and
Symantec today.

Microsoft invested so much
money in the security of their product line and the industry was always "us
versus Microsoft", so they decided to kill the giant by going the other
direction and strictly and stubbornly not caring about product security and
quality (which, in fact, are very close to each other if not the same).

Congratulations to Sun Microsystems,
you successfully moved the Internet over a decade back in time. As of today, we
have a new worm spreading, exploiting an authentication
vulnerability in telnet of all things! In Solaris (SunOS 5.10 and 5.11),
you must know, there is no need to actually possess the password of a telnet
user. All you need to do to get a shell with the privileges of the user "adm" is:

SomeLinux$ telnet -l "-fadm" my.poor.sun.isp.net

The same would work for root, but
luckily the default installation of Solaris does not allow remote root telnet
logins. Not only is this an ages-old type of vulnerability, it has been reintroduced
by Sun into their latest operating system. How on earth can QA miss something
like that? In 1995, this type of vulnerability hit a long list of UNIX vendors
(see here).
Therefore, when hacking around in their telnetd
implementation, I would expect that at least someone would check whether this new
feature they are implementing might be a very bad idea indeed.
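As an added detection example (not code from the original post), the following Python decodes the telnet NEW-ENVIRON subnegotiation (RFC 1572) through which a standard telnet client conveys the name given with -l, and flags a USER value that begins with "-", since such a value reaches login as an option exactly like the "-fadm" above. It assumes the RFC 1572 encoding of the option; the packets it decodes are constructed samples.

```python
# Added example (not code from the original post): decode the telnet NEW-ENVIRON
# subnegotiation (RFC 1572) a client sends for "-l <name>" and flag a USER
# value that begins with "-", i.e. the "-fadm" pattern from the post.
IAC, SB, SE, WILL = 0xFF, 0xFA, 0xF0, 0xFB
NEW_ENVIRON, IS = 39, 0
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3

def _decode_body(body: bytes) -> dict:
    """Decode one IS body: (VAR|USERVAR name [VALUE value])* with ESC quoting."""
    pairs, j = [], 0                       # each pair: [name_bytes, value_bytes|None]
    while j < len(body):
        b, j = body[j], j + 1
        if b == ESC and j < len(body):     # ESC quotes the next byte as a literal
            b, j = body[j], j + 1
        elif b in (VAR, USERVAR):
            pairs.append([bytearray(), None]); continue
        elif b == VALUE and pairs:
            pairs[-1][1] = bytearray(); continue
        if pairs:                          # literal byte belongs to name or value
            (pairs[-1][1] if pairs[-1][1] is not None else pairs[-1][0]).append(b)
    return {n.decode("latin-1"): (v or b"").decode("latin-1") for n, v in pairs}

def parse_new_environ(stream: bytes) -> dict:
    """Merge every NEW-ENVIRON IS subnegotiation found in client-to-server bytes."""
    env, head, pos = {}, bytes([IAC, SB, NEW_ENVIRON, IS]), 0
    while (pos := stream.find(head, pos)) != -1:
        body, j = bytearray(), pos + len(head)
        while j < len(stream):
            if stream[j] == IAC:
                if stream[j + 1:j + 2] == bytes([IAC]):   # IAC IAC = literal 0xFF
                    body.append(IAC); j += 2; continue
                break                                     # IAC SE ends the body
            body.append(stream[j]); j += 1
        env.update(_decode_body(bytes(body)))
        pos = j + 2
    return env

def flag_login_option_abuse(env: dict):
    """Return the USER value if it would reach login(1) as an option (leading
    '-'), as with '-fadm' in the post; None for an ordinary user name."""
    user = env.get("USER", "")
    return user if user.startswith("-") else None

def _sub(user: bytes) -> bytes:
    """Constructed sample: IAC WILL NEW-ENVIRON, then IAC SB NEW-ENVIRON IS VAR "USER" VALUE <user> IAC SE."""
    return (bytes([IAC, WILL, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER"
            + bytes([VALUE]) + user + bytes([IAC, SE]))

SAMPLE_ATTACK = _sub(b"-fadm")   # what `telnet -l "-fadm" host` conveys
SAMPLE_BENIGN = _sub(b"adm")
```

Feeding SAMPLE_ATTACK to parse_new_environ yields {'USER': '-fadm'}, which flag_login_option_abuse reports, while SAMPLE_BENIGN decodes to a plain user name and is not flagged.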

But Sun just picks up where Cisco is
leading the pack right now. Let's take a look at a few of their recent
publications:

cisco-sa-20070228-nam
NAMs communicate with the Catalyst system by using the Simple Network Management
Protocol (SNMP). By spoofing the SNMP communication between the Catalyst system
and the NAM an attacker may obtain complete control of the Catalyst system.

cisco-sa-20070213-iosips
The Intrusion Prevention System (IPS)
feature set of Cisco IOS® contains several vulnerabilities. These include:
Fragmented IP packets may be used to evade signature inspection, IPS signatures
utilizing the regular expression feature of the ATOMIC.TCP signature engine may
cause a router to crash resulting in a denial of service.

cisco-sa-20070124-crafted-tcp
The Cisco IOS Transmission Control
Protocol (TCP) listener in certain versions of Cisco IOS software is vulnerable
to a remotely-exploitable memory leak that may lead to a denial of service
condition.

cisco-sa-20070118-certs
The Cisco Security Monitoring,
Analysis and Response System (CS-MARS) and the Cisco Adaptive Security Device
Manager (ASDM) do not validate the Secure Sockets Layer (SSL)/Transport Layer
Security (TLS) certificates or Secure Shell (SSH) public keys presented by
devices they are configured to connect to.

cisco-sa-20070105-csacs
Certain versions of Cisco Secure
Access Control Server (ACS) for Windows and the Cisco Secure ACS Solution
Engine (hereafter both referred to as purely Cisco Secure ACS) are affected by
multiple vulnerabilities that cause specific Cisco Secure services to crash.
Two of the vulnerabilities may permit arbitrary code execution after
exploitation of the specified vulnerability.

cisco-sa-20061025-csa
Cisco Security Agent (CSA) for Linux
contains a denial of service vulnerability involving port scans. By performing
a port scan against a system running a vulnerable version of CSA,
it is possible to cause the system to become unresponsive. Cisco Unified CallManager (CUCM) and Cisco Unified Presence Server (CUPS)
ship with a vulnerable CSA version.

I'm sorry this list gets so long, but
I'm really trying to just focus on the glaringly silly ones. To sum it up,
Cisco's security software and appliances crash when presented with port
scans or intentionally malformed packets. Duh! Hello Cisco! These are the
devices your customers are paying a lot of money for to protect them against
the exact threats the devices themselves are vulnerable to!
And a security analysis and response system that doesn't even validate any SSL
certificate or SSH key? What exactly did your QA test under the functionality
topic of authentication? Something along the lines of: "I logged in - check."?

At least the picture is consistent.
Sun, shipping UNIX since 1982, reintroduces a vulnerability type that was
considered extinct for more than a decade. Cisco, shipping IP routers since
1987, notices in 2007 that they still don't know how to correctly parse IPv4
options in a ping packet, even with their latest and greatest IOS XR.

So far, there have been no provable
relations between a company's turnover, stock price and market share and its
security track record. The only exception is of course Microsoft. I wonder if
that's what is really needed to make the other big ones understand the enormous
responsibility they have due to the sheer amount of today's daily life functionality
depending on their code. After all, when looking at the professional and social
life in today's Internet, it is indeed 2007 and not back in the 90s. Turn off
all Cisco equipment on the Internet and try to do your daily job - it might get
a little bit more difficult than usual.